Data Classification Policy

Version: 1.00Issue Date: 1/20/2015

This Data Classification Policy specifies how information/data is classified. The classification of information or data will affect the security measures which should be in place to protect it.

1.0 Overview

This Data Classification Policy will help ensure that data is properly classified so it will be protected adequately for its needs. All staff members and anyone having custody of data for the organization should be familiar with this policy especially those who are the business owners of data. They should know the information labeling and handling guidelines for each level of data.

This Data Classification Policy should help make it clear what information can and cannot be disclosed outside the organization or even internally based on business need, confidentiality requirements of the data, and the security level of the individuals involved.

2.0 Purpose

This Data Classification Policy is intended to ensure that all information or data is properly classified so it is properly protected against unauthorized exposure, unauthorized or inaccurate changes, or loss.

3.0 Scope

This Data Classification Policy applies to all data or information whether stored in electronic form, stored in a hard copy, shared verbally, or shared visually. It applies to any data or information stored or used by the organization. This Data Classification Policy addresses classification of data but does not address how the data is handled based on sensitivity. The Information Sensitivity Policy defines how data is stored and transmitted based on sensitivity. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Definitions

  • Data - The term data refers to information but is typically used to describe information stored or transmitted in electronic format.
  • Information - The term information refers to knowledge which may be stored in any form, whether printed or in electronic form. Information includes data but data does not include all information.
  • Confidential - Information to be kept secret or private and should not be shared with others unless required by a business function and with authorization.
  • Sensitive - Information, which when released can cause an irritation or problem for one or more individuals or organizations.
  • Private - Information which belongs to an individual or organization and is not publically known.
  • Data owner - The person, organization, or department which either created the data or that the data describes such as name and address.
  • Data custodian - The person, organization, or department with posession of the data. Custodianship may be shared between the business staff and technical staff since business staff use the data and technical staff maintain the equipment that the data is stored on and take actions to keep the data available and secure.

The differences between confidential, sensitive, and private are negligable and somewhat obscure, so the use of more than one of these terms to describe a data class would not be very effective.

5.0 Data Classification

As a broad set of categories, data is either public (non-sensitive) or private (AKA sensitive or private). However, due to the fact that different levels of damage can result from unauthorized disclosure, inaccurate modification, or data loss, data is categorized into four categories by this policy. The data is classified according to the potential level of damage. The owners of the data must determine the level of data sensitivity.

When categorizing data, the need for confidentiality, integrity, and availability (CIA) must be considered and the potential damage if any one of the three is lost. The highest rating should be used to categorize the data although the system the data is hosted on should consider which of the three are most important regarding the system design. Two examples are shown below.

CIALow/Moderate/High
ConfidentialityModerate
IntegrityHigh
AvailabilityLow
Final ClassificationHigh (Top Secret)
CIALow/Moderate/High
ConfidentialityLow
IntegrityModerate
AvailabilityLow
Final ClassificationModerate (Secret)

Some documentation shows data classification to have two main classes but two main classifications of sensitivity are not enough for most organizations unless they want most or all systems to be able to handle the most sensitive data. This can actually cost more. This system of classification is similar to that used by the US Government and reflect potential damage levels. The classifications are:

  • Public (No label) No damage - This information is already available to the public or availability to the public will cause no damage. This information may be called non-sensitive information. Keep in mind that even public information may have integrity requirements that call for enough security to prevent unauthorized modification.
  • Confidential (label as confidential) Low damage - Information that is released to the public or unauthorized persons could cause minor embarrassment and/or damage and only require administrative action for correction.
  • Secret (label as secret) Moderate damage - Information released to the public or unauthorized persons could cause significant embarrassment and/or damage in money, property, or personnel to the organization or require legal action.
  • Top Secret (label as top secret) High damage - Affecting the organization seriously - Information released to the public or unauthorized persons could cause grave damage, loss of life, or major monetary damage.

Private information may include personal information about individuals not intended for public disclosure, restricted data, intellectual property, protected data such as trade secrets, information about business partners or information held for business partners.

Question concerning the proper classification of specific data should be directed to your manager. Questions concerning this policy or associated guidelines should be directed to organizational management.

6.0 Classification Guidelines

Below are listed the data classifications and types of data are listed in each one.

  • None - Information available through the Freedom of Information Act (FoIA).
  • Low - Email addresses, Personal addresses, telephone numbers, organizational telephone directories, supplier information, non-critical schematics and system designs, disaster recovery plans.
  • Medium - Personal addresses with name and telephone number, some intellectual property, customer order information, critical schematics and system designs, most information covered by non-disclosure agreements, employee performance reviews, risk assessments, system control information.
  • High - Social security numbers, drivers license numbers, credit card numbers, most trade secrets, some intellectual property, financial information about individuals or organizations, account names, passwords, medical records, information required for legal proceedings.

An annual review of these classification categories in light of legal, statutory, regulatory, contractual and general business requirements shall be performed to be sure these classification categories are relevant and practical. These categories shall be modified as appropriate with published changes to this policy and the Information Sensitivity Policy made as required.

An organizational security officer should be responsible for implementing and communicating this data classification scheme. This officer should oversee the classifications and make sure they are reviewed periodically and kept current.

7.0 Data Responsibilities

For all data, the data owners and data custodians must be identified. The data owners or data custodians must determine the category of the data. It is the responsibility of the data owner or data custodian to determine the category of the data. The data owner should be the person to determine the category but if there is no data owner in the organization, it may be necessary that the data custodian determines the category. Since custodianship is shared between the business and technical staff, agreement for the classification must be reached. A procedure should be created to arrive at a conclusion to the process of determining the data category. Data owners should:

  • Determine the data sensitivity category.
  • Determine who is authorized to read, modify, and store data.
  • Determine when data should be deleted and archived.
  • Determine what programs may be used to access the data or modify the data.
  • Reclassify their data as the sensitivity needs change.
  • Identify critical data and systems for the business.

All users are responsible for handling data according to its classification in compliance with the Information Sensitivity Policy.

The security level of the data and its proper handling must be considered from the start of a project, during implementation and over the lifetime of the project.

8.0 Default Data Classification

All data shall have a default data classification level which shall be used until the data is classified according to its sensitivity level or for unclassified data. The recommended default data classification level is confidential or secret depending on the nature of your organization.

9.0 Other Policies

  • Information Sensitivity Policy - Specifies how data is handled, stored, and transmitted through the project lifecycle based on its sensitivity category.
  • Equipment and Media Disposal Policy
  • Mobile Computer Policy and Mobile Device Policy

10.0 Enforcement

Since data classification is important for protecting data stored by the organization and prevent damage, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

11.0 Other Requirements

  • Training programs for staff members and data owners should be developed and put in place. Programs for data owners must ensure that the data owners have enough knowledge to understand the potential damage due to loss, unauthorized disclosure, or lack of integrity of their data. They must be informed enough to balance the need for security against cost.
  • A process for identifying data owners must be put in place. This may vary from organization to organization but generally will be the management of projects that are created to provide a service or function to the business or organization. Sometimes the data owners may be outside the organization and it must be considered that the owners of the data are those whom the data is about such as names/addresses or those who created the data. Therefore sometimes, only data custodians may be inside the organization and the data owners may be outside the organization.
  • A detailed process for the data owners or data custodians to categorize data must be created. The procedures must support the ability to reclassify the data as the sensitivities change. This is especially true for data that is time sensitive.
  • Develop tools to help data owners determine the sensitivity level of their data. The tools should provide criteria to help define which sensitivity category data should be placed in.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________